authormkanat%bugzilla.org <>2009-01-02 10:11:47 +0100
committermkanat%bugzilla.org <>2009-01-02 10:11:47 +0100
commit179e06d7c93760d9764bed65295a95fe0930fc4d (patch)
tree1692be72b3e74370d175aed81372b7462b55f7df /Bugzilla/Auth
parent5c8dab4502c311a7d823171b4c89aaffc2e9761b (diff)
Bug 211006: Make Bugzilla use SHA-256 instead of crypt() to store hashed passwords in the database
Patch By Max Kanat-Alexander <mkanat@bugzilla.org> r=LpSolit, a=LpSolit
Diffstat (limited to 'Bugzilla/Auth')
-rw-r--r--Bugzilla/Auth/Verify/DB.pm10
1 files changed, 10 insertions, 0 deletions
diff --git a/Bugzilla/Auth/Verify/DB.pm b/Bugzilla/Auth/Verify/DB.pm
index 0f73063d2..695671a31 100644
--- a/Bugzilla/Auth/Verify/DB.pm
+++ b/Bugzilla/Auth/Verify/DB.pm
@@ -64,6 +64,16 @@ sub check_credentials {
# password tokens they may have generated.
Bugzilla::Token::DeletePasswordTokens($user_id, "user_logged_in");
+ # If their old password was using crypt() or some different hash
+ # than we're using now, convert the stored password to using
+ # whatever hashing system we're using now.
+ my $current_algorithm = PASSWORD_DIGEST_ALGORITHM;
+ if ($real_password_crypted !~ /{\Q$current_algorithm\E}$/) {
+ my $new_crypted = bz_crypt($password);
+ $dbh->do('UPDATE profiles SET cryptpassword = ? WHERE userid = ?',
+ undef, $new_crypted, $user_id);
+ }
+
return $login_data;
}
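Review bot: The algorithm-tag test in the added `if` is looser than it needs to be: `$` also matches before a trailing newline, and the bare `{` relies on Perl treating an unescaped brace as a literal. I would write it as `if ($real_password_crypted !~ /\{\Q$current_algorithm\E\}\z/) {` so only a value that ends exactly in the current tag skips the rehash. The upgrade also runs only on a successful login, so accounts that never log in again keep their crypt() hashes indefinitely. The comment should say so, e.g. `# Hashes are only upgraded at login; dormant accounts keep the old format until then.`, so operators know a forced reset is needed to retire the old format completely. The `do` result is not checked here, so a failed UPDATE is presumably left to the handle's error settings, which are configured outside this hunk. `check_credentials` starts outside the hunk, so the password comparison that precedes this code is not visible.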